[Snort-users] Ignore host

Kenneth G. Arnold bkarnold at ...8060...
Fri Apr 11 07:52:07 EDT 2003

It's my impression that [$HOME_NET,!] would not solve your 
problem because $HOME_NET includes and ! 
includes everything except the one IP address including everything on your 
$EXTERNAL_NET.  The two would be effectively added together to become 
"any".  I think the only way to accomplish what you want is to write a pass 
rule for this sid for every rule in porn.rules for this IP address.  Any 
one else have an opinion?


At 09:19 AM 4/11/03 -0500, David Scott wrote:
>I'm trying to ignore traffic from a particular host, but ONLY for a specific
>set of rules (PORN.RULES). I want to use the syntax
>alert tcp $EXTERNAL_NET $HTTP_PORTS -> [$HOME_NET,!] any
>(msg:"PORN alt.binaries.pictures.erotica";
>content:"alt.binaries.pictures.erotica"; nocase; flags:A+; classtype:porn;
>sid:1836; rev:1;)
>Where I've added ! to the standard $HOME_NET variable. Is
>this acceptable? Is this the most efficient way to do this?
>David Scott
>Memphis Technology Associates

More information about the Snort-users mailing list